From 0a17633de360fddb6b16060199a0628099239cf2 Mon Sep 17 00:00:00 2001
From: nucleogenic
Date: Mon, 1 Aug 2022 13:47:23 +0100
Subject: [PATCH] Add HTTPS support to web UI

---
 easyinstall.sh                              | 17 +++++++++++++++++
 python/web/service-infra/nginx-default.conf | 10 ++++++++++
 2 files changed, 27 insertions(+)

diff --git a/easyinstall.sh b/easyinstall.sh
index 71464b6b..350ef59c 100755
--- a/easyinstall.sh
+++ b/easyinstall.sh
@@ -55,6 +55,8 @@ OLED_INSTALL_PATH="$BASE/python/oled"
 CTRLBOARD_INSTALL_PATH="$BASE/python/ctrlboard"
 PYTHON_COMMON_PATH="$BASE/python/common"
 SYSTEMD_PATH="/etc/systemd/system"
+SSL_CERTS_PATH="/etc/ssl/certs"
+SSL_KEYS_PATH="/etc/ssl/private"
 HFS_FORMAT=/usr/bin/hformat
 HFDISK_BIN=/usr/bin/hfdisk
 LIDO_DRIVER=$BASE/lido-driver.img
@@ -147,6 +149,21 @@ function installRaScsiWebInterface() {
     sudo usermod -a -G $USER www-data
+    if [ -f "$SSL_CERTS_PATH/rascsi-web.crt" ]; then
+        echo "SSL certificate $SSL_CERTS_PATH/rascsi-web.crt already exists."
+    else
+        echo "SSL certificate $SSL_CERTS_PATH/rascsi-web.crt does not exist; creating self-signed certificate..."
+        sudo mkdir -p "$SSL_CERTS_PATH" || true
+        sudo mkdir -p "$SSL_KEYS_PATH" || true
+        sudo openssl req -x509 -nodes -sha256 -days 3650 \
+            -newkey rsa:4096 \
+            -keyout "$SSL_KEYS_PATH/rascsi-web.key" \
+            -out "$SSL_CERTS_PATH/rascsi-web.crt" \
+            -subj '/CN=rascsi' \
+            -addext 'subjectAltName=DNS:rascsi' \
+            -addext 'extendedKeyUsage=serverAuth'
+    fi
+
     sudo systemctl reload nginx || true
 }
diff --git a/python/web/service-infra/nginx-default.conf b/python/web/service-infra/nginx-default.conf
index 58804911..2e3c62f1 100644
--- a/python/web/service-infra/nginx-default.conf
+++ b/python/web/service-infra/nginx-default.conf
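Review bot: The existence test at the top of the new block in installRaScsiWebInterface() checks only the certificate, so a host that has `rascsi-web.crt` but no `rascsi-web.key` (or the reverse, e.g. after an interrupted earlier run) skips generation and leaves nginx with a config it cannot load; test both files, `if [ -f "$SSL_CERTS_PATH/rascsi-web.crt" ] && [ -f "$SSL_KEYS_PATH/rascsi-web.key" ]; then`. The exit status of `openssl req` is also not checked: `-addext` requires OpenSSL 1.1.1 or later, and where it fails nothing is written while the following `sudo systemctl reload nginx || true` masks the reload failure, so the invocation should end with something like `|| { echo "Failed to create self-signed certificate"; exit 1; }`. The key file mode is left to openssl's default for `-keyout`; enforcing it explicitly with `sudo chmod 600 "$SSL_KEYS_PATH/rascsi-web.key"` after generation costs nothing and documents the intent, and note that `mkdir -p "$SSL_KEYS_PATH"` creates a 0755 directory where none existed, looser than the 0710 that Debian's ssl-cert package uses for /etc/ssl/private. The nginx-default.conf hunk in the second file references both paths unconditionally, which is why a failed or partial generation breaks the whole server block rather than just HTTPS.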
@@ -3,6 +3,16 @@ server {
     listen [::]:80 default_server;
     listen 80 default_server;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate /etc/ssl/certs/rascsi-web.crt;
+    ssl_certificate_key /etc/ssl/private/rascsi-web.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
     location / {
         proxy_pass http://127.0.0.1:8080;